Abstract

The Fischer-Lynch-Paterson theorem (FLP) says that it is impossible for processes in 
an asynchronous distributed system to achieve consensus on a binary value when a 
single process can fail; it is a widely cited theoretical result about network 
computing. All proofs that I know depend essentially on classical (nonconstructive) 
logic, although they use the hypothetical construction of a nonterminating execution 
as a main lemma. 

FLP is also a guide for protocol designers, and in that role there is a connection to an 
important property of consensus procedures, namely that they should not block, i.e. 
reach a global state in which no process can decide. 

A deterministic fault-tolerant consensus protocol is effectively nonblocking if from any 
reachable global state we can find an execution path that decides. In this article we 
effectively construct a nonterminating execution of any such protocol. That is, given 
any effectively nonblocking protocol P and a natural number n, we show how to 
compute the n-th step of an infinitely indecisive computation of P. From this fully 
constructive result, the classical FLP follows as a corollary as well as a stronger 
classical result, called here Strong FLP. Moreover, the construction focuses attention 
on the important role of nonblocking in protocol design. 

An interesting consequence of the constructive proof is that we can, in principle, build 
an undefeatable attacker for a consensus protocol that is provably correct, indeed 
because it is provably correct. We can do this in practice on certain kinds of networks. 



^The current draft includes improvements up to August 30, 2008 and small non-technical edits to the July 17, 2008 version made in August 2011. See Acknowledgements at the end of the article for grants supporting this work.
1 Introduction



1.1 Background 



The standard version of the Fischer-Lynch-Paterson theorem is that there is no asynchronous distributed algorithm that is responsive to its inputs, solves the agreement problem, and guarantees 1-failure termination. This is a negative statement, produced by a contradiction, yet implicit in all proofs is an imagined construction of a nonterminating execution in which no process decides; they "waffle" endlessly. That imagined execution is an interesting object, displaying what can go wrong in trying to reach consensus and characterizing a class of protocols. The hypothetical execution is used to guide thinking about consensus protocol design (illustrated below). In light of that use, a natural question about the classical proofs of FLP is whether the hypothetical infinite waffling execution could actually be constructed from any purported consensus protocol P; that is, given P, can we exhibit an algorithm a such that for any natural number n, a(n) is the n-th step of the indecisive computation?

It appears that no such explicit construction could be carried out following the method of the classical proof because there isn't enough information given with the protocol, and the key concept in the standard proofs, the notion of valence (univalence and bivalence), is not defined effectively, i.e. it requires knowing the results of all possible executions. This means that the case analysis used to imagine the infinite execution cannot actually be decided. Of course, it is not possible to find this infinite execution by simply running a purported protocol. Only a proof can show that it will run forever.

Other authors [Vol04, BW87] have reformulated the proof of FLP in a way that singles out the infinite computation as the result of a separate lemma, but they do not provide an effective means of building the infinite computation and do not use constructive reasoning. I refer to Volzer's classical result as Strong FLP; it is a corollary of the effective construction given here.

The key to being able to build the nonterminating execution is to provide more 
information, which we do by introducing the notion of effective nonblocking, defining 
bivalence effectively, and introducing the idea of a v-possible execution. We use the term 
bivalence in most of this article to make comparison with the classical ideas clear, but 
when contrasting this work to others, we will use the term effective bivalence. 

Effective nonblocking is a natural concept in the setting in which we verify protocols using constructive logic, say the rules of the Nuprl formal programming environment or of the Coq prover [BYC04]. The logic of Nuprl is Computational Type Theory (CTT) [ABC+06], which is constructive, and the logic of Coq is the Calculus of Inductive Constructions (CIC), closely related to CTT and also constructive. So when we prove that a protocol is nonblocking, we obtain the effective witness function used in the definition below. Mark Bickford in his Nuprl formalization of consensus protocols has done formal proofs of nonblocking from which Nuprl can extract the deciding state and could extract an execution as well.

^In the original FLP article the authors say: Let C be a configuration in an execution of the protocol, and let V be the set of all decision values reachable from C. C is bivalent if V is {0, 1} and univalent if V is {v} for v a Boolean.

The importance of nonblocking can be seen from this "blocking theorem" by Robbert van Renesse in [Rvr08]: A consensus protocol that guarantees a decision in the absence of failures may block in the presence of even a single failure. This is justified by citing FLP, and it follows cleanly from CFLP as I show below. Robbert van Renesse says: "Blocked states occur when one or more processes fail at a time at which other processes cannot determine if the protocol has decided. A protocol that tolerates failures must avoid such blocked states". Protocol designers actually carry out an analysis of blocking in debugging designs. A constructive proof of the blocking theorem could find the blocking scenario after designating a process that fails. Knowing precisely the number of blocking scenarios and their properties would be useful in evaluating protocol designs.

It is fascinating that once we use the concept of effective bivalence, it is possible to 
automatically translate some nonconstructive proofs of FLP into fully constructive ones 
from which it is possible to build the nonterminating execution. Here we look at the 
simpler result that we can effectively build nonterminating executions. These are 
executions that endlessly waffle about the decisions that are possible, decisions actually 
taken by decisive executions. 

Since it is not possible to provide an algorithm, i.e. a terminating consensus procedure, we 
start with the kind of protocol that can be built, and stress the possibility of 
nontermination by calling it a procedure not an algorithm. 



1.2 Computing Model 

The results here depend on the computing model behind the Logic of Events [BC08], which essentially embeds the standard model of asynchronous message-passing network computing into Computational Type Theory. The standard model is presented in the book Distributed Computing of Attiya & Welch [AW04] and is similar to the one in [FLP85]. We assume reliable FIFO communication channels.

A global state of the system consists of the state of the processes and the condition of the message queues. An execution is an alternating sequence of global states and actions taken by processes. Thus an execution α of a distributed system S determines a sequence of global states s_1, s_2, s_3, .... These are also called configurations of the execution. Execution is fair in that all messages sent to nonfailing processes will eventually be read and all enabled actions will eventually be taken by processes that do not fail.

A step of computation can involve any finite number of processes reading a message from 
an input channel, changing the internal state, and sending messages on output channels. In 
the proofs here, we pick an order on these steps so that there is always a single action 
separating the global states. We say that a schedule determines the order of the actions. 



1.3 Definitions 

Definition: A Boolean consensus procedure on processes P_i, i = 1, ..., n, tolerating t failures is a possibly nonterminating distributed procedure P which is deterministic (no randomness), responsive on uniform initializations, and consistent (all deciding processes agree on the same value).

P is called effectively nonblocking if from any reachable global state s of an execution of P and any subset Q of n − t nonfailed processes, we can find an execution α from s using Q and a process P_α in Q which decides a value v ∈ B.

Constructively this means that we have a computable function wt(s, Q) which produces an execution α and a state s_α in which a process, say P_α, decides a value v.

In this setting, a consensus procedure is responsive if, when all processes are initialized to v, they terminate with decision v unless they fail. This means that all nonblocking witnesses will return v as well.

The nonblocking property requires that consensus procedures tolerating t failures can use 
any subset of n — t processes to pick out from any partial execution a process that makes a 
decision. This is enough information for an algorithmic adversary to prevent a 
deterministic consensus procedure, one that does not rely on randomness, from terminating 
on every execution. The adversary can keep adjusting the schedule of executions to prevent 
processes from deciding. 

It is important to have good notation for the class of all processes of P except for P_i. We denote that class by Q_i, because we want to factor executions into steps of a specified process and those of the remaining processes. These are disjoint sets, and we can combine executions from them by appending one to another and infer joint properties from the separate properties of each.
Definition: For a v ∈ B, a global state s is v-possible iff for some subset Q of n − t processes we can find, using the nonblocking witness, a state s'_Q and a process P_Q in s'_Q that decides v. That is, wt(s, Q) produces a computation ending in s'_Q.

Definition: A global state b is bivalent iff we can find executions α_0 and α_1 from b that decide 0 and 1 respectively. We can pick out the deciding process from the execution. A state is bivalent via Q_i if neither execution involves a step of process P_i. Note, if b is bivalent, we can effectively exhibit the executions α_0 and α_1.

Fact: It is decidable whether the global states of a consensus procedure are v-possible. Note, we can't decide bivalence.



1.4 Summary of Results 

Initialization Lemma: For any effectively nonblocking consensus procedure P with n > 1, there is a bivalent initial global state b_0.

One Step Lemma: Given any bivalent global state b of an effectively nonblocking consensus procedure P, and any process P_i, we can find an extension b' of b which is bivalent via Q_i.

Theorem (CFLP): Given any deterministic effectively nonblocking consensus procedure 
P with more than two processes and tolerating a single failure, we can effectively construct 
a nonterminating execution of it. 

We also say that P can endlessly waffle. The proof is to use the Initialization Lemma to find a bivalent starting state b_0 and then use the One Step Lemma to create an unbounded sequence of bivalent states.

Corollary (FLP): There is no single-failure responsive, deterministic consensus algorithm (terminating consensus procedure) on two or more processes.

Corollary (Strong FLP)*: Given any nonblocking deterministic consensus procedure on 
two or more processes, it has a nonterminating execution. 

Corollary (Blocking)*: If all executions of consensus procedure P terminate in a 
decision when no process fails, then there is a global state on which P blocks when one 
process fails. 

The asterisk means that the results are not constructive; they use classical logic. To stress that an existence claim is not constructive, we sometimes say that an object such as an execution is constructed using magic; this means that our proof requires nonconstructive logical rules in showing that the object exists, rules such as the law of excluded middle or proof by contradiction or Markov's principle, or the classical axiom of choice, etc.



1.5 Relationship to the Original FLP Proof 

Some of these results correspond closely to the lemmas used in the Fischer, Lynch, Paterson paper [FLP85]. For example, our Initialization Lemma is their Lemma 2, our One Step Lemma is close to their Lemma 3, and the Commutativity Lemma used in the next section is their Lemma 1. Our FLP Corollary is their Theorem 1. In the proof of Theorem 1, they structure the argument around an unstated Lemma which in their words is essentially "...we construct an admissible run that avoids ever taking a step that would commit the system to a particular decision." They call these runs forever indecisive.

If they had defined a consensus procedure as above and had stated nonblocking classically, this lemma would be: Any nonblocking consensus procedure has forever indecisive executions, which I call Strong FLP; it is close to Volzer's classical result [Vol04]. Instead, Fischer, Lynch, and Paterson get nonblocking from assuming at the start, for the sake of contradiction, the existence of a terminating consensus algorithm. We can see the Strong FLP result emerging by factoring out an assumption they need from assuming the existence of a terminating protocol and packaging it into an explicit statement of a "Lemma 0". I hope to discuss, in the future, this technique of "refactoring" theorems to make them constructive.



2 Proofs 

2.1 Key Lemmas 

Fact: It is decidable whether the global states of a consensus procedure are v-possible.

To decide whether a state is v-possible we note that the definition of effective nonblocking provides a function, say wt, that takes the state and a subset of n − t processes, and we ask for each such subset whether the deciding state decides 0 or 1. It is useful to introduce a notation for sets of processes that do not include a particular process P_i: let Q_i be all processes of P except for P_i. Given state s, we make this decision for procedures tolerating one failure by computing wt(s, Q_1), ..., wt(s, Q_n).
Initialization Lemma: For any effectively nonblocking consensus procedure P, there is a bivalent initial global state b_0.

Proof 

The argument for this is similar to the one used in the classical FLP result, but we employ the decisions of witnesses rather than a purported consensus algorithm to find evidence for bivalence. We first note that if all processes are initialized to v, then by responsiveness, the consensus procedure must terminate with decision v, and all nonblocking witnesses decide v. So if the initial state is all 0, then the witness decides 0, and likewise for 1.

Now consider a sequence of initial states where we start from the all-0 initialization, call it s_0, and progressively change the initialization, process by process, from 0 to 1 until we reach the initialization of all 1's. Let these states be s_0, s_1, ..., s_n, where n is the number of processes. For each initial state, we ask whether there is a 1 deciding state produced by the witness function, which must happen by the time we reach the initialization of all 1's.

Let s_k be the first state where a decision is 1, say wt(s_k, Q_m) decides 1 for some m, and note that k > 0, P_k is initialized to 1 for the first time, and the process P_{k+1} is still initialized to 0 if k < n.

Consider the computation α from wt(s_{k-1}, Q_k) in which process P_k does not participate and the decision is 0. We can replay this from s_k. To the processes participating, this computation will look like one with P_k initialized to 0, i.e. one from s_{k-1}, and we have found an execution that results in a 0 decision from s_k, as we needed to prove; that is, s_k is bivalent. Take b_0 = s_k.

Qed 

In the classical argument, one assumes that the procedure P terminates, and on s_k a computation α terminates with 1 for the first time in the sequence. The next step is to alter the schedule and produce a new computation α' in which P_k is slow and does not affect the decision. In this case the computation looks just like one in which P_k is initialized to 0, so the result is as for s_{k-1}, the value is 0. Thus s_k is bivalent.

The next lemma is the heart of the argument. We use it in the main theorem, CFLP, to build a round-robin schedule in which each process takes a step from one bivalent state to another, thus generating an unbounded sequence of states in which no process decides. In addition to the proof given below, I also include in the last section of the article a program that shows the computational content of this proof and also an elegant condensed version of the proof that David Guaspari produced in response to this proof and its algorithm.

One Step Lemma: Given any bivalent global state b of an effectively nonblocking consensus procedure P, and any process P_i, we can find an extension b' of b which is bivalent via Q_i.

Proof 

If we knew that the bivalent state b was already bivalent via Q_i, we would be done. First, we can calculate one deciding state using wt(b, Q_i); suppose that is d_0, which decides 0 at the end of execution α_0. Since b is bivalent, we also have an execution α_1 that decides 1 and may take steps in process P_i (see figure 1).

Our plan now is to move backwards from d_1 along execution α_1 step by step toward state b using the processes in α_1, which include process P_i, looking for a state b' which is bivalent via Q_i (see figure 2). We first find a state and a computation such that the final steps to a 1 decision don't involve any P_i steps.

Suppose that the last step to d_1 is from state u via P_k, for k ≠ i, by action a; then we have a 1 decision using Q_i from u as we wished, and we will check to see if wt(u, Q_i) computes a 0 decision. If so we are done. Otherwise we look at the next process step in α_1. Before we look at the method of moving from u back toward b, we need to consider how to handle P_i steps, so look at the case when the last step to d_1 was taken by P_i, i.e. k = i.

If k = i, then we look for a new path via Q_i to a 1 decision. Compute wt(u, Q_i) and let the deciding state be d', reached by execution β (see figure 3). We claim that d' must decide 1. To see this, notice that by the Commutativity Lemma below, β followed by action a of P_i leads to the same state as action a followed by computation β, that is aβ(u) = βa(u) (as in figure 3). But since d_1 is a deciding state, aβ(u) must also decide 1 by the Agreement property of P. Then the execution βa must decide 1 as well. So by Agreement applied to d', that deciding state must decide 1. Now β is a Q_i path that decides 1, and we have moved one step closer to b on the path α_1.

Now we keep moving back from u along α_1 toward b, showing that we can maintain a path via Q_i to a state that decides 1 and looking for a Q_i path to a 0 deciding state. We will find such a path, namely α_0, by the time we reach b if not before.

As we move back from u toward b on α_1, suppose we encounter a P_k step, k ≠ i, with action a, say going from state s to s'. We know from the construction that wt(s', Q_i) does not lead to a 0 decision, and we look at the predecessor state s and compute wt(s, Q_i). If 0 is decided, and k ≠ i, then we are done, and we take b' = s. However, if k = i then we need a different analysis.

Thus suppose we find a state s' reached by an action a of P_i. Notice that there is, by the construction so far, a computation from s' to a 1 decision via Q_i, either along some β or along α_1.
Now compute wt(s, Q_i) and let the result be d', a deciding state. We consider two cases based on the decision at d'.

If d' decides 0, then let α' be the computation from s to d'. We can use Commutativity and Agreement to show that this computation can be replayed from s' with the same result, a 0 decision. This is a witness that s' is bivalent via Q_i and finishes the construction, with b' = s' (see figure 4).

If d' decides 1, then we have a new execution via Q_i, say β, from s to a 1 deciding state, say d'_1. Moreover, we have taken another step closer to b along α_1.

We continue in this manner, incorporating P_k steps into the α_1 path or building a new β path to a 1 deciding state, until we either reach b or find a state s before then that is bivalent via Q_i.

Qed 

Here are diagrams of the constructions we just described. In the section on further details 
and alternatives, I also include a program that executes the computation implicit in this 
proof. 




[Diagrams of the constructions above; only the captions survive extraction.]
Figure 1: lemma-A
Figure 2: lemma-B
Figure 3: lemma-C
Figure 4: lemma-D



2.2 Main Theorem (Constructive FLP) and Corollaries 

Theorem (CFLP): Given any deterministic effectively nonblocking consensus procedure, 
we can find an infinite execution. 

Proof 

The unbounded execution α starts with a bivalent initial state b_0 known to exist by the Initialization Lemma. We now schedule a round-robin execution of each process P_i and action a extending the current bivalent state, say s, to a state b' which is bivalent via Q_i by the One Step Lemma. At this state, we apply the action a of P_i unless it has already been applied in reaching b'. We can show that the resulting state m(b') is also bivalent via Q_i by the Commutativity Lemma, and thus we can repeat the construction using another process, say P_j, and its enabled action. We compute wt(m(b'), Q_j) and look for a witness with the opposite value, wt(m(b'), Q_k), or use the Q_i execution at m(b') with the opposite valence.

Now find an extension that is bivalent via Qj using again the One Step Lemma. In this 
manner we fairly execute steps of all processes, yet never reach a deciding state. 

Qed 

Corollary (FLP): There is no single-failure responsive deterministic consensus algorithm (terminating consensus procedure).

Proof 

Assume that A is such an algorithm. Let b_0 be a bivalent initial state. Algorithm A is the nonblocking witness for any reachable state, thus A is a consensus procedure, and thus does not terminate. So it is false that such an algorithm exists according to the CFLP Theorem.
Qed

Note, this result is constructive, and its content is a contradiction, not an infinite execution. 

Corollary: If consensus procedure P is effectively nonblocking, then we can find 
nonterminating executions even if no process fails. 

We note that in our construction of an infinite computation that does not decide, none of 
the processes fails. 

Corollary (Strong FLP)*: If consensus procedure P is nonblocking, then some execution of it is infinite.

We use the axiom of choice and the law of excluded middle to build a noncomputable 
witness function for nonblocking and then follow the construction in CFLP. 

Corollary (Blocking)*: Given a consensus procedure A that terminates when there are 
no failures, there is by magic a computation that blocks (from which no decision is 
possible) when a single process fails. 

Proof 

Because all executions of A must terminate when no process fails, and because for nonblocking protocols there is always a nonterminating execution even when no process fails, A cannot be nonblocking. Thus, by classical logic, there is a blocking global state.

Qed 



2.3 Further Details and Alternatives 

There are other technical details and further intuitive insights behind the lemmas that are 
worth presenting. 

Initializations The following notations help us make the Initialization Lemma more compact. Let s_j be the initialization in which P_i is initialized to 1 for all i ≤ j and P_i is initialized to 0 for all i > j, for i = 1, ..., n.

To find the first s_k where wt(s_k, Q) = 1 for some Q, we evaluate wt(s_i, Q_j) systematically, increasing i after trying all subsets Q_j for that i. We know that these witnesses must eventually produce a 1 value because when k = n, then wt(s_k, Q) = 1 for all Q.

Let s_k be the first initialization producing the decision 1 using the nonblocking witness, say wt(s_k, Q_m) decides one. Notice that wt(s_j, Q_i) = 0 for all j < k and all i in 1 ≤ i ≤ n, and in particular wt(s_{k-1}, Q_k) = 0, say by execution α_0. If for some Q we have wt(s_k, Q) decides 0, then we are done. If not, we can replay computation α_0 from s_k in which process P_k is scheduled to run very slowly and not participate in the decision. To the processes participating, this computation will look like one with P_k initialized to 0, and there will thus be an execution that results in a 0 decision from s_k as we need to prove.

It seems natural to argue that wt(s_{k-1}, Q_k) = wt(s_k, Q_k) since P_k does not participate and the states differ only on P_k's initialization, but we do not impose conditions on the witness about how it computes, so from s_k the algorithm might produce a different computation, say with a different schedule on the participating processes. However, we can replay the computation from s_{k-1} as in the above proofs.

Effective Bivalence In proving the One Step Lemma we need a key property of disjoint 
sets of processes called commutativity. It is this. 

Simple Commutativity Lemma: Let s be a global state and consider the disjoint sets of processes P_i and Q_i. Suppose there is a computation α_1 from s using Q_i to state s_1 and a computation α_2 from s using P_i to state s_2. Then there is a global state s' and a computation from s_1 via P_i to s' and from s_2 to s' via Q_i.

Proof 

We can think of α_2(α_1(s)) = s' = α_1(α_2(s)) because the two computations are disjoint and can be ordered in either way, and we can delay messages from P_i to the processes in Q_i so that the two computations do not interact.

Qed 

Commutativity Lemma: Let s be a global state and let Q and Q' be disjoint sets of processes. Suppose there is a computation α_1 from s using Q to state s_1 and a computation α_2 from s using Q' to state s_2. Then there is a global state s' and a computation from s_1 via Q' to s' and from s_2 to s' via Q.

This result follows by induction from the simple case by delaying all messages between the disjoint sets; thus α_2(α_1(s)) = s' = α_1(α_2(s)) because the two computations are disjoint and can be ordered in either way.
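The Commutativity Lemmas are the structural fact that the One Step Lemma and the CFLP schedule rely on. The following Python program is an added example, not code from the paper: it models the section 1.2 computing model as a global state with a local log per process and one reliable FIFO channel per ordered pair of processes, under an assumed action semantics (an action (p, q) has process p read the head message on channel (q, p), record it, and send an acknowledgement back), and checks on a constructed three-process state that a computation of Q_1 and a computation of P_1, both enabled at s, reach the same global state s' in either order, while two steps of the same process do not.

```python
from collections import deque
from copy import deepcopy

# Added example (not from the paper): a toy instance of the section 1.2 model.  A global state
# is the local state of every process plus one reliable FIFO channel per ordered pair of
# processes.  Assumed action semantics: action (p, q) means process p reads the head message
# of channel (q, p), appends it to its local log, and sends an acknowledgement on channel (p, q).

def make_state(n, pending):
    """Global state for processes 1..n; `pending` maps (src, dst) -> messages already in flight."""
    channels = {(a, b): deque() for a in range(1, n + 1) for b in range(1, n + 1) if a != b}
    for chan, msgs in pending.items():
        channels[chan].extend(msgs)
    return {"local": {p: () for p in range(1, n + 1)}, "channels": channels}

def enabled(state, action):
    """An action is enabled iff its input channel holds a message (reads never block)."""
    p, q = action
    return len(state["channels"][(q, p)]) > 0

def apply_action(state, action):
    """Return the successor global state; the input state is left untouched."""
    if not enabled(state, action):
        raise ValueError(f"action {action} is not enabled in this state")
    p, q = action
    s = deepcopy(state)
    msg = s["channels"][(q, p)].popleft()
    s["local"][p] = s["local"][p] + (msg,)
    s["channels"][(p, q)].append(("ack", msg))
    return s

def run(state, actions):
    """A computation: apply a sequence of actions in schedule order."""
    for a in actions:
        state = apply_action(state, a)
    return state

def disjoint(alpha1, alpha2):
    """Hypothesis of the lemma: the two computations use disjoint sets of processes."""
    return not ({p for p, _ in alpha1} & {p for p, _ in alpha2})

def commutes(state, alpha1, alpha2):
    """Does alpha1 then alpha2 reach the same global state s' as alpha2 then alpha1?"""
    return run(run(state, alpha1), alpha2) == run(run(state, alpha2), alpha1)

# Constructed sample: three processes with a few messages already in flight.
S0 = make_state(3, {(1, 2): ["m_a"], (2, 1): ["m_b"], (3, 2): ["m_c"], (1, 3): ["m_d"]})
ALPHA_Q1 = [(2, 1), (3, 1), (2, 3)]   # steps of Q_1 = {P_2, P_3}
ALPHA_P1 = [(1, 2)]                   # a step of P_1

if __name__ == "__main__":
    print("disjoint:", disjoint(ALPHA_Q1, ALPHA_P1),
          "commute:", commutes(S0, ALPHA_Q1, ALPHA_P1))
    # Two steps of the same process do not commute: P_2's log records a different order.
    print("same-process steps commute:", commutes(S0, [(2, 1)], [(2, 3)]))
```

The "delaying messages" of the proof corresponds here to comparing only computations that are each valid from s: a step whose input message is produced by the other computation is not enabled at s, so apply_action refuses it instead of silently reading a message that the other ordering would not yet have delivered. Under that restriction the FIFO discipline guarantees that every read in one computation sees the same head message whether or not the other computation has already appended to the tail of that channel.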
Alternative Proof of the One Step Lemma

David Guaspari provided the following elegant compressed account of the previous proof of 
the One Step Lemma. It reveals quite clearly how simple the constructive proof of the FLP 
theorem can be, hence how simply the FLP result can be explained. Its simplicity suggests 
that it is worth applying the technique to open problems in distributed computing and to 
simplifying known proofs. 

By definition, a bivalent state b can fork into different execution paths to 0 and 1 decisions. Call a pair of these paths, say (α, β), a fork. We call a fork an i-fork when one of the paths does not involve any steps of process P_i and a full i-fork when neither path involves steps of P_i.

The way we use forks in the One Step Lemma introduces an asymmetry on the paths. There will be a distinguished process P_i for which we are seeking a full i-fork. For a bivalent state it is trivial to find an i-fork for any i by just computing wt(b, Q_i) and using that result as one branch. To simplify managing this asymmetry, we agree that the β branch of an i-fork will be the one without steps from P_i. The α path may or may not have P_i steps. If φ is an i-fork, let i-len(φ) be the number of P_i steps on the α path. Then φ is a full i-fork iff i-len(φ) = 0.

Fork Modification Lemma: Let φ be an i-fork at state s with i-len(φ) = m > 0.

Suppose a_m is the last P_i action in the α branch, taking state s_{m-1} to state s_m. Let v be the decision reached by wt(s_{m-1}, Q_i); then:

1. If v is the decision reached by β, we can effectively construct a full i-fork from s_m, and

2. If v is the decision reached by α, we can effectively construct an i-fork φ' from s such that i-len(φ') < i-len(φ).

Proof 

For notational convenience, suppose that the β path decides 0. Figure 5 shows the i-fork φ = (α, β), together with wt(s_{n-1}, Q_i). We have, in a slightly informal notation:

• α = δ · a_n · ε

• γ is the sequence returned by wt(s_{n-1}, Q_i) and b is its final state

• a_n is an action of process P_i

• none of the sequences β, γ, or ε contains an action from process P_i

• d_1 decides 1 and d_0 decides 0
Figure 5: An i-fork



Case 1: In this case b decides 0. Consider figure 6. Because a_n is an action of process P_i and γ contains no actions from P_i, the parallelogram commutes, and the paths a_n · γ and γ · a_n lead to the same state, c, which must decide 0 because b does. So (ε, γ) is a full i-fork from s_n.




Figure 6: A commuting diagram 

Case 2: In this case, b decides 1. Then φ' = (δ · γ, β) is an i-fork at s and i-len(φ') < i-len(φ).

Qed 
One Step Lemma

Given any fork at s and any i, we can effectively construct a state s' reachable from s and a full i-fork at s'.

Let (α, β) be a fork at s and let γ be the execution sequence returned by wt(s, Q_i). Then either (α, γ) or (β, γ) is an i-fork. Now apply Fork Modification repeatedly.



A Program for the One Step Lemma 

The computational content of the One Step Lemma is a program whose input is a bivalent state and a process P_i and whose output is a state that is bivalent via Q_i.

Logical Conditions: b is bivalent; α_1 is an execution path to d_1, α_0 is an execution path to d_0; P_i is the designated process; P_k is any process.

Program Variables and Code Segments:

• S, S' denote global states on path α_1 from b to d_1.

• P is the process taking S to S'; a_k denotes the action of P = P_k taking S to S'.

• Path is the execution path from S' to a state deciding 1.

• pred(P) finds the predecessor process on α_1.

• pred(S) finds the predecessor state on α_1, e.g. pred(S') = S.

• Advance is the code P := pred(P); S' := S; S := pred(S) (This code finds the next step moving toward b on α_1.)



Invariants:

• pred(S') = S

• Path is a Q_i path from S' to a 1 deciding state.

• There is no Q_i path known yet from S' to a 0 deciding state.

Initially S is d_1.

Begin (Move along α_1 from d_1 toward b)

  While (S ≠ b ∧ wt(S, Q_i) finds an execution path β to decide(1)) do
    decide (P = P_k);
      case P = P_i (S → S') then Path := β; Advance;
      case P = P_k, k ≠ i (S → S') then Path := a_k · Path; Advance
  od

  if S = b then stop (b' = b; α_0 is a path to d_0 deciding 0; Path decides 1 and is in Q_i)

  if wt(S, Q_i) decides 0 by path α' then
    decide (P = P_k);
      case P = P_i then stop (b' = S'; α' is a path to decide(0) from S' by the
        commutativity argument carrying α' to state S'; Path is a Q_i path to decide(1))
      case P = P_k, k ≠ i then Path := a_k · Path; stop (b' = S; α' is a path to
        decide(0); Path is a Q_i path to decide(1))

End



Figure 7: One Step Program 

Acknowledgements 

This work was funded by NSF grant CNS 872612445 and by the Information Directorate of 
the Air Force Research Lab (AFRL) at Rome, grant FA 8750-08-2-0153. 

I want to thank Robbert VanRenesse for explaining consensus algorithms to me, for 
drawing my attention to the importance of the nonblocking property, and for studying my 
argument - a help in making it more succinct. I also want to thank Mark Bickford for 
responding to my early ideas for this proof and Uri Abraham for listening to my argument 
and sharing his course notes on the FLP theorem and providing pointers to the literature. 
Shlomi Dolev pointed out possible practical uses of the results that I continue to examine. 
David Guaspari was very helpful in reading my proof and drawing attention to points that 
needed clarification or correction. He also provided a very elegant condensation of the One 
Step Lemma that I sketched in the last section. 



References

[ABC+06] Stuart Allen, Mark Bickford, Robert Constable, Richard Eaton, Christoph Kreitz, Lori Lorigo, and Evan Moran. Innovations in Computational Type Theory using Nuprl. Journal of Applied Logic, Elsevier Science, 2006, 428-469.

[Abr99] Uri Abraham. Models for Concurrency. Gordon and Breach Science Publishers, 1999.

[AW04] Hagit Attiya and Jennifer Welch. Distributed Computing, 2nd Edition. Wiley, 2004.

[BYC04] Yves Bertot and Casteran Pierre. Interactive Theorem Proving and Program Development; Coq'Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science, Springer-Verlag, 2004.

[BW87] Michael F. Bridgland and Ronald J. Watro. Fault-Tolerant Decision Making in Totally Asynchronous Distributed Systems (Preliminary Version). ACM Symposium on Principles of Distributed Computing, 1987, 52-63.

[BC08] Mark Bickford and Robert L. Constable. Formal Foundations of Computer Security. In Formal Logical Methods for System Security and Correctness, Vol 14, 2008, 29-25.

[FLP85] Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson. Impossibility of distributed consensus with one faulty process. Journal of the ACM, volume 32, 1985, 374-382.

[Lyn96] Nancy Lynch. Distributed Algorithms. Morgan Kaufmann Publishers, San Mateo, CA, 1996.

[Rvr08] Robbert van Renesse. Personal Communication, 2008.

[Vol04] Hagen Volzer. A constructive proof for FLP. Information Processing Letters, 92, 2004, 83-87.



